- Users update their Flash player – Based on the nature of the issue, I'm not certain of how much benefit to this there is, but might as well patch anyway if there is one available.

- Disable or block Flash content – I think most people reading this probably already do some form of Flash blocking, but for everyone else, there are simply not going to.

Now, the "some form of Flash blocking" Jeremiah's talking about is most likely NoScript, which:

- Blocks Flash (and other plugins) by default when the content comes from an untrusted web site

- Blocks Flash (and other plugins) by default when content from a trusted website is embedded in an untrusted page - this prevents embedded Flash XSS

- Checks cross-site requests for script injection and sanitizes them as needed - this prevents reflected XSS, including the Flash variants

The best thing, making this approach much more viable than "disabling Flash content" tout-court, is that you can allow individual blocked content pieces with a click, having a chance to examine their types and full addresses before running them: this is what may save you from being owned in a Flash ;)
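A simplified model of the first two blocking rules and the click-to-allow step described above, added here as an illustration. It is not NoScript's code; the trusted-site list, the MIME type set, the function names and all URLs are constructed assumptions.

```javascript
// Simplified model of the plugin-blocking rules listed above (not NoScript's code).
// TRUSTED and every URL used here are constructed sample values.
const TRUSTED = new Set(["https://video.example", "https://news.example"]);

// MIME types treated as "Flash (and other plugins)" in this model (assumption).
const PLUGIN_TYPES = new Set(["application/x-shockwave-flash", "application/pdf"]);

// Trust is decided per origin (scheme + host + port), not per full URL.
const isTrusted = (url) => TRUSTED.has(new URL(url).origin);

// Decide whether an embedded object may load without user interaction.
// `allowedOnce` holds the exact content URLs the user clicked to allow.
function decideEmbed({ pageUrl, contentUrl, mimeType }, allowedOnce = new Set()) {
  if (!PLUGIN_TYPES.has(mimeType)) {
    return { action: "ignore", reason: "not plugin content; outside this model" };
  }
  if (allowedOnce.has(contentUrl)) {
    return { action: "allow", reason: "individually allowed by the user" };
  }
  if (!isTrusted(contentUrl)) {
    return { action: "block", reason: "content from untrusted site" };
  }
  if (!isTrusted(pageUrl)) {
    // A trusted movie pulled into an untrusted page is still blocked.
    return { action: "block", reason: "trusted content embedded in untrusted page" };
  }
  return { action: "allow", reason: "trusted content on trusted page" };
}

// Text a click-to-allow placeholder would show: the type and the full address,
// so the user can examine both before running the object.
function placeholderInfo({ contentUrl, mimeType }) {
  return `${mimeType} @ ${contentUrl}`;
}

// Constructed sample: a trusted site's Flash movie embedded in an untrusted blog.
const sample = {
  pageUrl: "https://blog.example/post?id=1",
  contentUrl: "https://video.example/player.swf?clip=42",
  mimeType: "application/x-shockwave-flash",
};
console.log(decideEmbed(sample), placeholderInfo(sample));
console.log(decideEmbed(sample, new Set([sample.contentUrl])));
```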

This entry was posted on Sunday, January 6th, 2008 at 8:54 am and is filed under XSS, Flash, Security, NoScript.

6 Responses to “Flash XSS Protection For Users”

Well, since some NoScript updates that were installed, I noticed that embedded Adobe PDF files were disabled by default. Browsing through the NoScript options, I saw that Adobe Flash extensions were untrusted.

As a student, using the internet as a source of information is very necessary and I encounter Adobe PDF files very often. So, may I request that NoScript has a separate choice for Adobe PDFs in some future updates? Because it would be great for me, and I will not have to click "allow" all the time. I'm also sure that there are many users out there that will share my inconvenience.

@TikaL:
Flash XSS can do anything a "traditional" JavaScript XSS can do, from credential theft to session riding (impersonating yourself across the current session) to complex CSRF despite anti-CSRF protections which may be implemented on the target web site.

Rich Cannings recently documented Flash-based XSS clarifying with some examples the quite fuzzy coverage this issue received so far. Its “The Fix / Users” section says: Update to the latest version of Flash Player plugin. This will protect ...